04-27-2009 09:01 AM - edited 03-06-2019 05:24 AM
Hi All,
We have a Cat-3550 with a route-map for an SVI (VLAN 1) to redirect the traffic. Everything is fine except for the fact that the traffic to the other VLANs is also routed the same way, with an additional hop. I would like to exclude this using a deny statement, but for some reason that doesn't seem to work. Please find the config details below:
interface Vlan1
 ip address 10.18.1.2 255.255.255.0
 ip directed-broadcast
 ip policy route-map server
 no ip mroute-cache
end
route-map server permit 10
 match ip address servers
 set ip next-hop 10.18.122.6
ip access-list extended servers
 permit ip 10.18.1.0 0.0.0.255 any
New config (which doesn't work):
route-map newserver deny 10
 match ip address 199
!
route-map newserver permit 20
 match ip address servers
 set ip next-hop 10.18.122.6
access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 199 permit ip 10.18.1.0 0.0.0.255 10.18.5.0 0.0.0.255
What am I missing here? Thanks in advance,
Cheers
subra
04-27-2009 09:23 AM
Subra,
Your configuration looks good to me. You want to deny switching between VLANs to let them go using the normal routing table.
You may use the "debug ip policy" command to see what's going on.
Well, in case it really doesn't work, you may think about other ways.
!
route-map newserver permit 10
 match ip address only-for-server
 set ip next-hop 10.18.122.6
ip access-list extended only-for-server
 deny ip 10.18.1.0 0.0.0.255 10.18.2.0 0.0.0.255
 deny ip 10.18.1.0 0.0.0.255 10.18.3.0 0.0.0.255
 deny ip 10.18.1.0 0.0.0.255 10.18.4.0 0.0.0.255
 deny ip 10.18.1.0 0.0.0.255 10.18.5.0 0.0.0.255
 permit ip 10.18.1.0 0.0.0.255 any
!
HTH,
Toshi
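An added example, not part of the thread: a small Python model of standard route-map and ACL first-match evaluation, applied to the three configurations posted above, to show which packets each one would policy-route. The function names, dictionary keys and sample packet addresses are constructed for illustration, and the model covers the configured logic only, not any platform's hardware behaviour.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def wild_match(addr, net, wildcard):
    # IOS wildcard mask: bits set to 1 are "don't care" bits
    return ((ip(addr) ^ ip(net)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

def acl_permits(acl, src, dst):
    # First matching entry wins; no match falls through to the implicit deny
    for action, (snet, swild), (dnet, dwild) in acl:
        if wild_match(src, snet, swild) and wild_match(dst, dnet, dwild):
            return action == "permit"
    return False

def policy_next_hop(route_map, src, dst):
    # Returns the set next-hop, or None when the packet is left to the routing table
    for action, acl_name, next_hop in ROUTE_MAPS[route_map]:
        if acl_permits(ACLS[acl_name], src, dst):
            # A matched deny clause means "do not policy-route this packet"
            return next_hop if action == "permit" else None
    return None

SRC = ("10.18.1.0", "0.0.0.255")
ANY = ("0.0.0.0", "255.255.255.255")
OTHER_VLANS = [("10.18.%d.0" % n, "0.0.0.255") for n in (2, 3, 4, 5)]

ACLS = {
    "servers": [("permit", SRC, ANY)],
    "199": [("permit", SRC, d) for d in OTHER_VLANS],
    "only-for-server": [("deny", SRC, d) for d in OTHER_VLANS] + [("permit", SRC, ANY)],
}
# Keys are labels for this example, not route-map names from the thread
ROUTE_MAPS = {
    "server": [("permit", "servers", "10.18.122.6")],
    "newserver-deny-clause": [("deny", "199", None), ("permit", "servers", "10.18.122.6")],
    "newserver-acl-deny": [("permit", "only-for-server", "10.18.122.6")],
}

if __name__ == "__main__":
    # Constructed sample packets: inter-VLAN, outside, and a subnet not in the exclusions
    packets = [("10.18.1.10", "10.18.3.20"), ("10.18.1.10", "192.0.2.50"),
               ("10.18.1.10", "10.18.6.1")]
    for name in ROUTE_MAPS:
        for src, dst in packets:
            hop = policy_next_hop(name, src, dst) or "routing table"
            print(f"{name:22} {src} -> {dst:12} via {hop}")
```

Any destination subnet missing from the exclusion entries, such as the constructed 10.18.6.1 packet, is still redirected to the next hop by both variants.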
04-27-2009 09:52 AM
Cheers mate. It works.................
04-27-2009 09:24 AM
Why not just add a "deny" statement to the front of your "permit" statement in the ip access-list extended servers access list?
04-27-2009 09:27 AM
Bret,
Are you really thinking about that way? If so, 5P! for you anyway! heheheh..
Toshi
04-27-2009 09:58 AM
LOL, that's what I get for walking away before hitting the post button. One minute!
04-27-2009 11:34 AM
bret,
Maybe less than one minute! (grin)
Good job, man
Toshi
05-04-2009 01:49 AM
no
05-04-2009 01:54 AM
I found the details of the IP address on the site http://www.ip-details.com/. Is there any website to know the details of the IP address owner?